Windows 8 and 8.1 Forums


BitLocker - Turn On or Off for OS Drive in Windows 8

  1. #1
    BitLocker - Turn On or Off for OS Drive in Windows 8

    How to Turn On or Off BitLocker for Windows 8 OS Drive with or without TPM
    Published by Brink
    28 Feb 2013


    Information
    BitLocker Drive Encryption provides protection for operating system drives, fixed data drives, and removable data drives that are lost or stolen. BitLocker does this by encrypting the contents of drives and requiring users to authenticate their credentials to be able to access the information. Encrypting the entire Windows 8 operating system drive on the hard disk encrypts all user files and system files on the OS drive, including the swap (page) files and hibernation files.

    This tutorial will show you how to turn on or off BitLocker to encrypt or decrypt the operating system drive in Windows 8 and 8.1 with or without a TPM.

    You must be signed in as an administrator to be able to do the steps in this tutorial.

    Note

    • For computers that boot natively with UEFI firmware, BitLocker requires at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
    • For computers with legacy BIOS firmware, BitLocker requires at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    • The system drive partition must be at least 350 MB and set as the active partition. If you do not have a system partition, then BitLocker will check for one and create it automatically if able (see step 7 in OPTION ONE below).
    • To be able to automatically unlock fixed data drives, the drive that Windows 8 is installed on must also be encrypted by BitLocker.
    • Any files saved to an encrypted drive will automatically be encrypted as well.
    • Files remain encrypted only while they are stored on the encrypted drive. Files will be decrypted if they are copied to another drive, partition, or PC.
    • Users who use BitLocker to protect the content of their personal files can also use File History as it seamlessly supports BitLocker on both source and destination drives.
    • If you create a system image or backup of an unlocked encrypted drive, the files in the saved image or backup will be decrypted.
    • If you share files with other people, such as through a network, the files are encrypted as long as they're stored on the same encrypted drive, and they can be accessed by authorized people or people you've given permission to.
    • You will be able to unlock the encrypted Windows 8 OS drive at boot using either a password or a connected USB flash drive containing the startup key.
    • If you select to use a USB flash drive to unlock the Windows 8 OS drive at boot, then you will need to make sure that your BIOS or UEFI is set to allow reading from USB drives at boot. Most are by default.
    • When using BitLocker with a TPM, it is recommended that BitLocker be turned on immediately after the computer has been restarted. If the computer has resumed from sleep prior to turning on BitLocker, the TPM may incorrectly measure the pre-boot components on the computer. In this situation, when the user subsequently attempts to unlock the computer, the TPM verification check will fail and the computer will enter BitLocker recovery mode and prompt the user to provide recovery information before unlocking the drive.


    For more information, see: BitLocker Frequently Asked Questions (FAQ)

    Warning
    BitLocker Drive Encryption is only available in the Windows 8/8.1 Pro and Windows 8/8.1 Enterprise editions.





    OPTION ONE
    To Turn On BitLocker for Windows 8 OS Drive with or without a TPM

    1. If you have not already, you will first need to do step 2, 3, 4, or 5 below for what you want to do.


    2. Use REG File to Allow BitLocker to Encrypt OS Drive without a TPM

    NOTE: This does the same thing as step 4 below, but automatically with a .reg file.

    A) Click/tap on the Download button below to download the file below.

    Enable_BitLocker_OS_Drive_No_TPM.reg

    download

    B) Save the .reg file to your desktop.

    C) Double click/tap on the .reg file to merge it.

    D) If prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve merging.

    E) Restart the PC to apply, and go to step 6 below to continue.

    3. Use REG File to Require Additional Authentication at Startup with a TPM

    NOTE: This does the same thing as step 5 below, but automatically with a .reg file. For example, to require USB at startup.

    A) Click/tap on the Download button below to download the file below.

    Enable_Additional_Authentication_BitLocker_OS_Drive_with_TPM.reg

    download

    B) Save the .reg file to your desktop.

    C) Double click/tap on the .reg file to merge it.

    D) If prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve merging.

    E) Restart the PC to apply, and go to step 6 below to continue.

    4. Use Group Policy to Allow BitLocker to Encrypt OS Drive without a TPM

    NOTE: This does the same thing as step 2 above.

    A) Press the Windows + R keys to open the Run dialog, type gpedit.msc, and press Enter.

    B) If prompted by UAC, click/tap on Yes.

    C) In the left pane of Group Policy, click/tap to expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and Operating System Drives. (see screenshot below)

    D) In the right pane of Operating System Drives, double click/tap on Require additional authentication at startup to edit it. (see screenshot above)

    E) Select (dot) Enabled, check the Allow BitLocker without a compatible TPM box, and click/tap on OK. (see screenshot below)
    NOTE: Not Configured is the default setting.


    F) Close Group Policy, and go to step 6 below to continue.

    5. Use Group Policy to Require Additional Authentication at Startup with a TPM

    NOTE: This does the same thing as step 3 above, but allows you to have more options.

    A) Press the Windows + R keys to open the Run dialog, type gpedit.msc, and press Enter.

    B) If prompted by UAC, click/tap on Yes.

    C) In the left pane of Group Policy, click/tap to expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and Operating System Drives. (see screenshot below step 4C)

    D) In the right pane of Operating System Drives, double click/tap on Require additional authentication at startup to edit it. (see screenshot above)

    E) Select (dot) Enabled, uncheck the Allow BitLocker without a compatible TPM box, and click/tap on OK. (see screenshot below)
    NOTE: Not Configured is the default setting.


    F) Close Group Policy, and go to step 6 below to continue.

    6. If you have not already, choose to use either an AES 128-bit or 256-bit encryption method.
    NOTE: Windows 8 uses AES 128-bit encryption by default.


    7. Do step 8, 9, or 10 for how you would like to start to turn on BitLocker for the OS drive.


    8. Open the Control Panel (icons view), click/tap on BitLocker Drive Encryption icon. Under Operating system drive, click/tap on an arrow to expand the Windows 8 drive you want to encrypt, click/tap on the Turn on BitLocker link, and go to step 11 below. (see screenshot below)


    9. In File Explorer, open Computer/This PC, right click or press and hold on the Windows 8 drive you want to encrypt, click/tap on Turn on BitLocker, and go to step 11 below. (see screenshot below step 10)

    10. In File Explorer, open Computer/This PC, select (highlight) the Windows 8 drive you want to encrypt, click/tap on the Manage (Drive Tools) tab, click/tap on the BitLocker icon in the ribbon, click/tap Turn on BitLocker, and go to step 11 below. (see screenshot below)


    11. If you did not have the required 350 MB system drive partition, then BitLocker will now create one if able. Click/tap on Next, and Restart now when prompted. (see screenshots below)
    NOTE: You will not get this step if you already have at least a 350 MB system drive partition.


    12. Do step 13, 14, or 15 below for what you would like to use to unlock the Windows 8 drive with at startup. (see screenshots below)

    NOTE: This will not be available with a TPM unless you did step 3 or 5 above.


    13. To "Insert a USB flash drive" at Boot to Unlock the OS Drive

    NOTE: This will not be available with a TPM unless you did step 3 or 5 above.

    A) Connect a USB flash drive, and click/tap on the Insert a USB flash drive option. (see screenshot below step 12)

    B) Select the USB flash drive you want to save the startup key on, click/tap on Save, and go to step 16 below. (see screenshot below)


    14. To "Enter a password" at Boot to Unlock the OS Drive

    NOTE: This will not be available with a TPM.

    A) Click/tap on the Enter a password option. (see screenshot below step 12)

    B) Enter and reenter a password at least 8 characters long, click/tap on Next, and go to step 16 below. (see screenshot below)


    15. To Let BitLocker Automatically Unlock OS Drive

    NOTE: This will only be available with a TPM.

    A) Click/tap on the Let BitLocker automatically unlock my drive option, and go to step 16 below. (see screenshot below step 12)

    16. Select how you want to back up your BitLocker recovery key, and click/tap on Next when finished. (see screenshot below)

    Note
    The Save to USB flash drive option will not be available if you are encrypting with a TPM. If you like, you could use the Save to a file option, and select a USB flash drive to save the file to though.

    If you forget the password (step 14) or lose the USB flash drive (step 13), then you can still use this recovery key (a string of 48 random numbers) to get back into the OS drive at boot.

    It's essential that you store a copy of your recovery key in a safe place. If you lose it, you might permanently lose access to your files on the encrypted OS drive.
    Tip
    The Save to your Microsoft account option is only available on non-domain-joined PCs.

    If you saved the BitLocker recovery key to your Microsoft account, you will be able to log in to your Microsoft account online at Microsoft's site below from any PC to view all of your saved recovery keys at any time.

    http://windows.microsoft.com/recoverykey



    17. Select (dot) to encrypt entire drive, and click/tap on Next. (see screenshot below)


    18. Check the Run BitLocker system check box, and click/tap on Continue. (see screenshot below)
    NOTE: Running the system check is one more recommended way to make sure that BitLocker works smoothly for you, but it can take longer, and it requires your PC to restart. If you decide to run the system check, make sure you've saved your work before restarting. When your PC restarts, it will prompt you to unlock your operating system drive with the method you just chose in step 12 above.


    19. You will now notice the BitLocker icon in the taskbar notification area. Click/tap on it, and on Restart now. (see screenshots below)


    Note
    If you selected to enter password in step 14 above, then you will be prompted to enter the password at boot when the computer restarts.



    20. If the BitLocker system check failed from step 10 above, then you will see this below. Click/tap on Close. You are now finished since BitLocker was unable to encrypt the Windows 8 OS drive.


    21. If the BitLocker system check was successful from step 18 above, then after a short moment you will notice the BitLocker icon in the taskbar notification area. You can click/tap on it to see the encryption progress. (see screenshot below)
    NOTE: This may take a long time to finish, but you will still be able to use your PC during the encryption process. Just do not turn off the PC until it has finished encrypting.


    22. When encryption of the Windows 8 OS drive has finally finished, click/tap on Close. (see screenshot below)


    23. Whenever you start the Windows 8 PC, you may be required to either enter a password or connect the USB flash drive depending on what you selected in step 12 above.









    OPTION TWO
    To Turn Off BitLocker for Windows 8 OS Drive

    1. If you have not already, you will first need to turn off auto-unlock for any encrypted fixed data drives. If you do not, then all fixed data drives that have auto-unlock turned on will also be decrypted at step 8 below.
    NOTE: This does not apply to removable data drives.

    2. Do step 3, 4, or 5 for how you would like to start.

    3. Open the Control Panel (icons view), click/tap on BitLocker Drive Encryption icon, and go to step 6 below.

    4. In File Explorer, open Computer/This PC, right click or press and hold on the encrypted Windows 8 drive you want to decrypt, click/tap on Manage BitLocker, and go to step 6 below. (see screenshot below step 5)

    5. In File Explorer, open Computer/This PC, select (highlight) the encrypted Windows 8 drive you want to decrypt, click/tap on Manage (Drive Tools) tab, click/tap on BitLocker icon in the ribbon, click/tap Manage BitLocker, and go to step 6 below. (see screenshot below)


    6. Under Operating system drive, click/tap on the arrow to expand the Windows 8 OS drive you want to decrypt, and click/tap on the Turn off BitLocker link. (see screenshot below)


    7. If prompted by UAC, click/tap on Yes.

    8. Click/tap on Turn off BitLocker or Decrypt all drives, depending on whether you turned off auto-unlock for all fixed data drives in step 1 above. (see screenshots below)
    NOTE: This may take a long time to finish, but you will still be able to use your PC during the decryption process. Just do not turn off the PC until it has finished decrypting.


    9. You will now notice the BitLocker icon in the taskbar notification area. You can click/tap on it to see the decryption progress. (see screenshot below)


    10. When decryption of the drive has finally finished, click/tap on Close. (see screenshot below)


    11. If you like, you could also do step 12 or 13 below to set the default setting to require BitLocker to only encrypt an OS drive with a TPM (step 2 and 4 in OPTION ONE) and not require additional authentication for a TPM (step 3 and 5 in OPTION ONE).

    12. To Use a Reg File to Undo Step 2, 3, 4, or 5 in OPTION ONE

    A) Click/tap on the Download button below to download the file below.

    Disable_BitLocker_OS_Drive_No_TPM.reg


    download

    B) Save the .reg file to your desktop.

    C) Double click/tap on the .reg file to merge it.

    D) If prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve merging.

    E) Restart the PC to apply.

    13. Use Group Policy to Undo Step 2, 3, 4, or 5 in OPTION ONE

    A) Press the Windows + R keys to open the Run dialog, type gpedit.msc, and press Enter.

    B) If prompted by UAC, click/tap on Yes.

    C) In the left pane of Group Policy, click/tap to expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and Operating System Drives. (see screenshot below step 4C in Option One)

    D) In the right pane of Operating System Drives, double click/tap on Require additional authentication at startup to edit it. (see screenshot below step 4C in Option One)

    E) Select (dot) Not Configured, and click/tap on OK. (see screenshot below step 4E in Option One)
    NOTE: This is the default setting.

    F) Close Group Policy.


    That's it,
    Shawn
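
To check the result of OPTION ONE, and step 1 of OPTION TWO, without clicking through the dialogs, here is a read-only audit script. It is an added example, not part of the original tutorial. It assumes an elevated PowerShell prompt and the BitLocker module's Get-BitLockerVolume cmdlet; the three function names are made up for this example.

```powershell
# Added example (not from the original tutorial). Read-only: changes nothing.
# Run in an elevated PowerShell prompt on Windows 8/8.1 Pro or Enterprise.

function Get-BitLockerStartupPolicy {
    # Values stored by the "Require additional authentication at startup"
    # policy (OPTION ONE steps 2-5). A missing value means Not Configured.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $names = 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseTPM',
             'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $out = [ordered]@{}
    foreach ($n in $names) {
        $value = $null
        if ($props) { $value = $props.$n }
        if ($null -eq $value) { $value = 'Not Configured' }
        $out[$n] = $value
    }
    [pscustomobject]$out
}

function Test-OsDriveProtection {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $findings = @()

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Not fully encrypted: $($vol.VolumeStatus), $($vol.EncryptionPercentage)% done"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += 'Protection is off or suspended'
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No 48-digit recovery password protector (step 16)'
    }
    if ($types -contains 'Tpm') {
        # A plain Tpm protector is the "automatically unlock" choice in step 15.
        $findings += 'TPM-only unlock: nothing is asked for at boot'
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        EncryptionMethod = $vol.EncryptionMethod   # step 6: Aes128 or Aes256
        KeyProtectors    = $types -join ', '
        Findings         = $findings
    }
}

function Get-AutoUnlockDataDrive {
    # OPTION TWO step 1: fixed data drives that still have auto-unlock on
    # and would be decrypted together with the OS drive.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'Data' -and $_.AutoUnlockEnabled } |
        Select-Object MountPoint, VolumeStatus, AutoUnlockEnabled
}

Get-BitLockerStartupPolicy | Format-List
Test-OsDriveProtection     | Format-List
Get-AutoUnlockDataDrive    | Format-Table -AutoSize
```

An empty Findings list means the OS drive is fully encrypted, protection is on, a recovery password exists, and the drive does not unlock on the TPM alone.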


  2. #1


    Posts : 26
    Windows 8 Pro 64 Bit


    Currently I have only one HDD on my Win 8 Pro x64 laptop. There is only one partition (C: System/OS and all my other data).
    My HDD is almost full!
    My question is if I encrypt the entire HDD using BitLocker, meaning encrypt my one and only drive which would mean encrypting my entire HDD, how would my laptop's performance be affected?

    BitLocker asks for the password in very beginning, at boot, before OS is loaded right?

    Once I enter my password for BitLocker and OS is loaded and I am on my desktop using it normally, how will BitLocker get in my face? Like locking the drive after certain amount of idle time or something?

    Thank You for your helpful tips.


  3. #2


    Posts : 21,597
    64-bit Windows 10


    Hello McNeil,

    Other than having to enter the BitLocker password at startup to unlock your OS drive, your computer's performance will not be affected at all.

    Once you enter your BitLocker password at startup, your OS drive will remain unlocked until you either restart or shut down the computer.

    What concerns me more is that your HDD is almost full. If you only have one partition and do not have the 350 MB System Reserved partition (no drive letter), one will be created for you. If there's not enough free space, then it will not be able to, and BitLocker will not encrypt the HDD then.

    I would recommend freeing up as much space as you can on your HDD first. One option is to add a second HDD to your laptop if able, and store your data files (documents, music, etc.) on it instead.

    Hope this helps,
    Shawn

  4. #3


    Posts : 26
    Windows 8 Pro 64 Bit


    Shawn,

    Out of my 640 GB (5400 RPM) HDD, currently 53 GB is free. I deleted my system partition and recovery partition, combined all that and made one big partition, to manage my HDD space before I updated my Win 7 to Win 8. I know it wasn't a very good idea but I didn't have any other choice.

    About the BitLocker,
    350 MB System Partition is not a problem, since it will be self created and I've enough space for it.

    So once I encrypt HDD using BitLocker, say before boot I want to go to my boot menu or want to boot from CD/DVD/USB would I still have to provide BitLocker password? I just want to make sure that if my laptop gets into wrong hands, then there are no ways to bypass BitLocker encryption and get access to my HDD data without the password.

    If I entirely encrypt my drive now, then what about the future data?
    So if I delete something, or add/create/download new files to the HDD, will it be automatically encrypted (since BitLocker will be on) or not?

    And should I, let's say, re-encrypt the drive every month due to changes in files (add/delete), or is encryption performed once good for a lifetime or at least a few years?


  5. #4


    Posts : 21,597
    64-bit Windows 10


    When you encrypt the OS drive, it and everything you have on it will remain always encrypted until you either temporarily suspend BitLocker or turn off BitLocker for the drive. Anything you save to a BitLocker encrypted drive will also be encrypted by default.

    I never say never since I'm sure that there are some professional tools out there that will be able to get past BitLocker, but they're not going to be available to the average person due to their cost and/or skills needed. However, using BitLocker with 256-bit AES will sure make it practically impossible to crack.

  6. #5


    Posts : 26
    Windows 8 Pro 64 Bit


    I just wanted to make sure that encrypting my laptop with BitLocker would be safe, secure, and useful.
    You've satisfied my curiosity.
    Thank You Shawn.

  7. #6


    Posts : 21,597
    64-bit Windows 10


    You're most welcome McNeil.

  8. #7


    Posts : 26
    Windows 8 Pro 64 Bit


    So I successfully encrypted my HDD with BitLocker, and it does ask for the password before loading the OS.
    BUT before BitLocker loads I can still go to my Setup Menu using F2, and to my Boot Menu using F12.
    Seems like I can boot the computer from an external boot device (CD/DVD) and get access to my data on the HDD.
    And if you have access to such things then someone can probably format my HDD without even knowing my BitLocker password.
    I haven't tried breaking into it so far.
    BUT THIS IS NOT SUPPOSED TO HAPPEN, BitLocker is supposed to protect my data.

  9. #8


    Posts : 21,597
    64-bit Windows 10


    You will still be able to format the hard drive even if it is BitLocker protected. Formatting is the last resort to be able to use your hard drive again if you somehow lost your recovery keys and are unable to unlock BitLocker anymore, but you do lose all data on the hard drive when you format it.

    If the drive is locked by BitLocker, you will not be able to access anything on it even outside of Windows at boot.

  10. #9


    Posts : 165
    Windows 8


    Hello Brink,

    Regarding the "gpedit.msc" steps:
    Can you also support us with a reg file for:
    "Turn On or Off BitLocker for Windows 8 OS Drive without a TPM"
    Because most times it is faster to use a reg file instead of using gpedit.msc.
